* set with limit
From: Slavko @ 2024-11-19 12:03 UTC (permalink / raw)
To: netfilter
Hi,
with nft v1.0.6 and kernel 5.10.226 I want to limit the logging count
by IP. I set up a set:

    set log_base4 {
        typeof ip saddr
        size 1000
        flags dynamic,timeout
        limit rate 1/minute burst 2 packets
        timeout 1h
        comment "IPv4 base log limit"
    }

It is then used in a chain:

    chain input {
        type filter hook input priority filter + 5; policy accept;
        ...
        update @log_base4 { ip saddr } log group 0
    }

I see that the set is filled/updated by a particular IP:

    elements = { X.Y.Z.W timeout 1h expires 59m59s360ms }

But I see 15 lines per minute (it sends a packet every 4 sec) for that
IP. I expect max 2 lines per minute...

Please, what did I do wrong?
--
Slavko
https://www.slavino.sk/
* Re: set with limit
From: Florian Westphal @ 2024-11-19 16:06 UTC (permalink / raw)
To: Slavko; +Cc: netfilter
Slavko <linux@slavino.sk> wrote:
> with nft v1.0.6 and kernel 5.10.226 I want to limit the logging count
> by IP. I set up a set:
>
>     set log_base4 {
>         typeof ip saddr
>         size 1000
>         flags dynamic,timeout
>         limit rate 1/minute burst 2 packets
>         timeout 1h
>         comment "IPv4 base log limit"
>     }
>
> It is then used in a chain:
>
>     chain input {
>         type filter hook input priority filter + 5; policy accept;
>         ...
>         update @log_base4 { ip saddr } log group 0
>     }
>
> I see that the set is filled/updated by a particular IP:
>
>     elements = { X.Y.Z.W timeout 1h expires 59m59s360ms }
>
> But I see 15 lines per minute (it sends a packet every 4 sec) for that
> IP. I expect max 2 lines per minute...
>
> Please, what did I do wrong?
Looks like 5.10 is too old; the listing should show that the limit expression was
attached, i.e.:

    elements = { x.y.z.w limit rate 1/minute burst 2 packets timeout 1h expires 59m55s504ms, ...

... (this is with 6.11.5 and your rules above).
* Re: set with limit
From: Slavko @ 2024-11-19 18:00 UTC (permalink / raw)
To: netfilter ML
On 19 November 2024 16:06:17 UTC, Florian Westphal <fw@strlen.de> wrote:

> Looks like 5.10 is too old; the listing should show that the limit expression was
> attached, i.e.:

Thanks, I will try with meter tomorrow...
regards
--
Slavko
https://www.slavino.sk/
* Re: set with limit
From: Slavko @ 2024-11-20 8:17 UTC (permalink / raw)
To: netfilter ML
On 19. 11. at 19:00 Slavko wrote:

> On 19 November 2024 16:06:17 UTC, Florian Westphal <fw@strlen.de> wrote:
>
>> Looks like 5.10 is too old; the listing should show that the limit expression was
>> attached, i.e.:
>
> Thanks, I will try with meter tomorrow...

Yes, with meter it works:

    nft list meter inet filter base_log4
    table inet filter {
        meter base_log4 {
            type ipv4_addr
            size 65535
            flags dynamic,timeout
            elements = { 10.60.65.78 limit rate 1/minute burst 2 packets timeout 1h expires 59m58s208ms }
        }
    }

Thanks again.
--
Slavko
https://www.slavino.sk/
* Re: set with limit
From: Pablo Neira Ayuso @ 2024-11-20 21:49 UTC (permalink / raw)
To: Slavko; +Cc: netfilter ML
On Wed, Nov 20, 2024 at 09:17:13AM +0100, Slavko wrote:
> On 19. 11. at 19:00 Slavko wrote:
> > On 19 November 2024 16:06:17 UTC, Florian Westphal <fw@strlen.de> wrote:
> >
> > > Looks like 5.10 is too old; the listing should show that the limit expression was
> > > attached, i.e.:
> >
> > Thanks, I will try with meter tomorrow...
>
> Yes, with meter it works:
>
>     nft list meter inet filter base_log4
>     table inet filter {
>         meter base_log4 {
>             type ipv4_addr
>             size 65535
>             flags dynamic,timeout
>             elements = { 10.60.65.78 limit rate 1/minute burst 2 packets timeout 1h expires 59m58s208ms }
>         }
>     }

According to your original example, you could use:

    set log_base4 {
        typeof ip saddr
        size 1000
        flags dynamic,timeout
        limit rate 1/minute burst 2 packets
        timeout 1h
        comment "IPv4 base log limit"
    }

    chain input {
        type filter hook input priority filter + 5; policy accept;
        ...
        update @log_base4 { ip saddr limit rate 1/minute burst 2 packets } log group 0
    }

i.e. replace

    update @log_base4 { ip saddr } log group 0

by:

    update @log_base4 { ip saddr limit rate 1/minute burst 2 packets } log group 0

5.10 is lacking this patch:

    commit fca05d4d61e65fa573a3768f9019a42143c03349
    Author: Pablo Neira Ayuso <pablo@netfilter.org>
    Date:   Sat Jan 16 12:26:46 2021 +0100

        netfilter: nft_dynset: honor stateful expressions in set definition
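The check Florian describes and the workaround Pablo gives, as an added Python example (not code from the thread, from any poster, or from the nftables project): it parses an `nft list set` listing to flag the failure mode seen on 5.10 (the set declares a limit, but the elements created by `update` carry none, so logging is not throttled at all), rewrites the update statement to carry the limit inline, and models the expected log count with a simplified per-element token bucket. The two listings and the address 192.0.2.10 are constructed from the outputs quoted above; the function names and the token-bucket model are assumptions of this example, not the kernel's nft_limit accounting.

```python
import re
from typing import List

# Constructed `nft list set` output for a kernel that ignores the limit
# declared in the set: elements carry only timeout/expires.
LISTING_LIMIT_IGNORED = """\
table inet filter {
    set log_base4 {
        typeof ip saddr
        size 1000
        flags dynamic,timeout
        limit rate 1/minute burst 2 packets
        timeout 1h
        comment "IPv4 base log limit"
        elements = { 192.0.2.10 timeout 1h expires 59m59s360ms }
    }
}
"""

# Constructed output for a kernel with the nft_dynset fix: each element
# created by `update` carries its own limit expression.
LISTING_LIMIT_ATTACHED = LISTING_LIMIT_IGNORED.replace(
    "192.0.2.10 timeout 1h",
    "192.0.2.10 limit rate 1/minute burst 2 packets timeout 1h",
)

_ELEMENTS_RE = re.compile(r"elements\s*=\s*\{(.*?)\}", re.DOTALL)
_UPDATE_RE = re.compile(r"update @(\w+) \{ (.+?) \}")


def elements_without_limit(listing: str) -> List[str]:
    """Addresses of elements that carry no 'limit rate' expression.
    Splits the `elements = { ... }` block on commas and collapses the
    line wrapping nft inserts, so wrapped elements are seen whole."""
    match = _ELEMENTS_RE.search(listing)
    if match is None:
        return []
    missing = []
    for elem in match.group(1).split(","):
        elem = " ".join(elem.split())
        if elem and "limit rate" not in elem:
            missing.append(elem.split()[0])
    return missing


def set_declares_limit(listing: str) -> bool:
    """True if the set definition itself (elements excluded) has a limit."""
    body = _ELEMENTS_RE.sub("", listing)
    return re.search(r"^\s*limit rate\b", body, re.MULTILINE) is not None


def limit_silently_ignored(listing: str) -> bool:
    """The thread's failure mode: the set declares a limit but elements
    added by `update` lack it. Only decidable once an element exists."""
    return set_declares_limit(listing) and bool(elements_without_limit(listing))


def inline_limit(rule: str, limit_clause: str) -> str:
    """Rewrite `update @set { key }` to `update @set { key <limit> }`,
    the workaround for kernels without the nft_dynset fix."""
    def repl(m):
        key = m.group(2)
        if "limit rate" in key:          # already inline, leave it alone
            return m.group(0)
        return f"update @{m.group(1)} {{ {key} {limit_clause} }}"
    return _UPDATE_RE.sub(repl, rule, count=1)


def logged_timestamps(packet_times_s: List[int], period_s: int, burst: int,
                      enforce: bool = True) -> List[int]:
    """Packets of one source that would reach the log statement.
    Simplified token bucket (assumption): the bucket holds `burst`
    packets' worth of time and refills one packet per `period_s`.
    enforce=False reproduces the unthrottled behaviour seen on 5.10."""
    if not enforce or not packet_times_s:
        return list(packet_times_s)
    cost, capacity = period_s, burst * period_s
    tokens, last = capacity, packet_times_s[0]
    logged = []
    for t in packet_times_s:
        tokens = min(capacity, tokens + (t - last))
        last = t
        if tokens >= cost:
            tokens -= cost
            logged.append(t)
    return logged


if __name__ == "__main__":
    for name, listing in (("5.10-style", LISTING_LIMIT_IGNORED),
                          ("fixed", LISTING_LIMIT_ATTACHED)):
        print(f"{name}: limit silently ignored = {limit_silently_ignored(listing)}")
    print(inline_limit("update @log_base4 { ip saddr } log group 0",
                       "limit rate 1/minute burst 2 packets"))
    one_minute = [4 * i for i in range(15)]      # a packet every 4 s
    print("logged with limit:", logged_timestamps(one_minute, 60, 2))
    print("logged without limit:", len(logged_timestamps(one_minute, 60, 2, enforce=False)))
```

On a live host the listing would come from `nft list set inet filter log_base4`; the check is only meaningful once the set holds at least one element, since an empty listing cannot show whether the limit was attached. For the 15 packets of the first minute the model logs 2 lines (the burst), which is the count Slavko expected, while the unthrottled path logs all 15.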